The hidden threats facing your unsupported XP devices

Exorbitant custom support deal fees may not be the highest costs organisations running Windows
XP will face after support ends in April.

Microsoft support for its Windows
XP operating system (OS) ends on 8 April 2014. After this date, the software publisher will
provide security updates until 14
July 2015.

Organisations still running Windows XP after April 2014 will have to pay substantial fees to
Microsoft if they want a custom support contract, so what are the options for the company still
running its business on the OS?

The fees for a custom support contract are anticipated to be significant. Although terms will
depend on the particular deal struck with Microsoft, analyst organisation IDC predicts users can
expect to pay $200 per PC per year for custom XP support in the first year, rising to $400 per PC
in 2015 and $1,000 per PC in 2016.

The Licensing implications of virtualisation

Analyst firm Gartner warns that, while virtualisation certainly offers options for IT
departments looking to circumnavigate problems arising from Microsoft’s end of support for XP, the
software company considers virtualising the browser a violation to its licensing terms and
conditions, so the IT department will need to check what is covered under its licence
agreement.

Hosting IE6 or 7 in virtual desktop infrastructure is permitted. According to Citrix, putting an
XP image in the XenClient Type-1 hypervisor, for example, and using the browser would work, but
support for this ends very soon. Microsoft does not permit using App Streaming/App-V to isolate the
browser in a package. Citrix says many thousands of users today use XenApp to publish IE6/7 for
exactly this purpose and it does not break licensing rules.

Any business or public sector department running a large XP installed base will quickly see its
IT budget eaten up by these significant support costs.

Analyst company Gartner estimates that more than 15% of mid-size and large enterprises will
still have Windows
XP running on at least 10% of their PCs after Microsoft support ends.

Security is the most pressing issue the IT department will face when XP support ends. Even after
the SP2 release in 2004 – which hardened Windows XP – its security model was regarded as vastly
inferior to Windows 7 and Windows 8.

In an organisation with 1,000 PCs, Citrix estimates that 9.1% will be compromised by XP security
failings. When XP support ends, some experts believe the unsupported OS will become the target of
increased attacks. The alerts published in Microsoft’s Patch Tuesday updates may act as a catalyst,
spurring hackers to target vulnerabilities in XP.

Organisations’ reliance on XP

But why have IT departments left it so late to address the issue? Windows XP dates back to 2001.
Microsoft stopped selling it in 2008, at which point the support clock began ticking. 7 April 2014
will be the last day Microsoft fully supports the OS. But at their launch, Windows XP and XP
Professional OSs represented a concerted effort to deliver a consistent desktop OS for home and
business users. Software providers were encouraged to create XP applications for the internet-ready
OS. The Internet Explorer 6 (IE6) browser was built-in, enabling browser-based applications.

Gary Schare, president of Browsium
– a company that makes browser emulation technology – says that, when XP came out in 2001, everyone
had just completed Y2K and there was a big push to move to web technology, because people wanted to
move from client server to web applications. They wanted to avoid lock-in but, according to Schare:
“IE6 was super proprietary, and was tied to Windows.”

The organisation that has not paid attention to the end of support for XP is probably not the
type of organisation that is concerned about security

Commenting on a previous XP OS support article, one Computer Weekly reader noted: “It’s going to
be XP for the next few years at least. The reason is simple. At least 60% of my apps don’t work on
the newer flavours of Windows, and I really don’t feel like shelling out another couple of thousand
to get the newer versions. What I have works, and I see no reason to line Microsoft’s pockets any
more than I already have. Like a lot of others, I will migrate when, and only when, I have
absolutely no other viable alternative.”

Another reader said he still ships hundreds of industrial XP boxes a year. “We’re getting XP
licences under the Windows Embedded programme until at least December 2016. Microsoft could easily
support XP for years until they produce something consumers actually want.”

Browser challenge and virtualisation

Clearly, some applications have been modernised to suit more recent OSs, such as Windows 7, but
it has been the browser that has created the most problems for IT departments. Quocirca analyst
Clive Longbottom points out that figures from sites that attract large numbers of hits from a broad
range of users show that 5% of desktops worldwide remain on IE6, or approximately one in four of
all desktops running XP.

A product such as Browsium Ion controls settings in a native browser to enable legacy apps to
work. It injects Javascript to get around incompatibility.

Another option which may work in the interim, is to virtualise the XP environment, using a
product such as Citrix XenDesktop to run virtual XP on top of a Windows 7 environment, or to build
a hosted virtual desktop environment. So long as the virtual XP environment is not given free reign
to access everything on the internet, this may prove a secure way to maintain access to certain
core XP and IE6 applications that cannot be migrated.

“We are seeing people continue to virtualise XP applications and use AppDNA [a Citrix product to
identify OS compatibility issues] to identify application compatibility,” says Jason Tooley, UK
manager at Citrix. “We are seeing companies approaching the deadline with challenges of migrations
that have effectively run out of time for a true migration to Windows 7/8. They will have to run XP
applications in a Citrix virtual environment.”

IT departments can also run XP using Remote Desktop Services (RDS) on Windows Server 2003, which
Microsoft will support until 7 April 2015, giving another year of support.

Citrix’s Tooley says some of the company’s XP customers have been running RDS on Windows Server
2003 using XenApp 4.5. “Our extended support dates for XenApp 4.5 – the version that supports
WS2k3/R2 – aligns with Microsoft’s extended support dates.”

Mitigate security risk

If virtualisation is not practical, Gartner recommends IT departments segregate their corporate
local area network, so the XP-based PCs effectively live on a private network. This will limit the
extent to which a hacker can use a compromised XP machine to gain access to the wider corporate
network.

What is clear from all the advice on running the unsupported XP OS is that the environment
should be locked down, with a whitelist of authorised applications and kept in a known state, which
enables the XP machine to be rebuilt easily. As one reader points out: “Knowing how your computer
works is by far the most effective defence against security problems. Hiding things under ever more
complex layers of software is a sure-fire way to get yourself stuck in a security pothole.”

So the issue fundamentally boils down to simplicity. A known environment is more secure than one
where the user is free to download software from the internet – or indeed install anything
else.

According to Gartner research vice-president Stephen Kleynhans, the strategy to keep XP secure
will depend on the machines in question. “The key thing to do is limit the opportunities for new
malicious code to get on those devices, then harden them so that, if they are exposed, there is
some line of protection,” he says.

Like Y2K, 8 April 2014 represents a line in the sand for which the entire industry needs to
prepare. “Generally, people know what they have to do,” says Kleynhans.

To harden the machine, ensure antivirus (AV) software is supported and up to date. Most big AV
companies say they will support the XP OS for some time, but Kleynhans counsels organisations not
to expect security support beyond 14 July 2015. During this time, users will probably get signature
updates for new threats.

It is a lot of work and it may be as much work as converting to Windows 7. But the organisation
that has not paid attention to the implications of the end of support for XP is probably not the
type of organisation that is concerned about security.

Email Alerts

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

It can be tempting to stray from the security roadmap security professionals have put in place when data breaches like the Sony and Anthem breaches are all over the news. But experts say it's crucial to stick to the security basics.

The Open Data Platform has arrived, but not all Hadoop vendors are on board. The initiative, aimed at boosting interoperability, formed a backdrop for discussion at the Strata + Hadoop World 2015 conference.